Data Protection Risks on DAX-30 Websites

Created 8. March 2021

With the DSGVO (GDPR) and the ePrivacy Directive (and perhaps soon the ePrivacy Regulation), the EU has introduced regulations that have required a lot of implementation work from companies. Since the landmark judgments of the European Court of Justice and the German Federal Court of Justice in 2020, companies have been making increasing efforts to bring their websites into compliance: the number of simple cookie banners is declining, and more and more websites use consent management tools that let visitors choose whether or not to consent to the processing of their personal data.

With our software decareto Compliance Monitoring we took a closer look at the websites of the largest German companies, those listed in the DAX-30. One should be able to assume that these are mostly compliant with EU data protection law (spoiler: they are not). In any case, this cannot be due to a lack of know-how or personnel in the compliance and IT departments.

The results: consent tools

Only two of the DAX-30 companies do without a consent tool and merely indicate the use of cookies without offering any option to consent. A third of the websites use an in-house development or an open source product unknown to us to manage consent. Among the commercial solutions, OneTrust leads with 7 websites, ahead of the Lithuanian product "Cookie Script" (3 websites), followed by Usercentrics and Cookiebot (2 each). However, a look at the effectiveness of these tools shows that for many DAX-30 companies they are primarily a fig leaf.

Cookies and trackers

decareto determines which cookies a website sets and which external service is the originator of each cookie, from which its purpose can also be derived. External services with the purpose "analytics" or "advertising" should not be loaded without consent, and they should therefore not be able to set cookies. In fact, however, the majority of websites (77%) already set such cookies when the page is loaded, even though practically all of them use a consent tool to give the impression of allowing an "informed decision".

Schrems II and the consequences

Considering that the European Court of Justice overturned the Privacy Shield certificate in mid-2020, almost all of the 30 company websites examined violate EU law, at least on a strict interpretation: 90% of the websites transmit personal data (via IP address or cookies) without prior consent to the "unsafe third country" USA. Looking only at non-functional services or cookies, the figure is still 80%.

These violations are easy to explain for the functional services: Google Fonts, Google Tag Manager, Cloudflare and YouTube each appear on 30% or more of the sites. There is often no inexpensive European alternative for these services, or migrating away from them (as with Google Fonts) is time-consuming.

However, it is incomprehensible that a third of the websites embed the advertising service DoubleClick and thus transfer data. The most likely explanation is carelessness: when embedding YouTube videos, the "extended data protection settings" must be actively selected in order to prevent the DoubleClick tracker from being reloaded. 33% of the companies probably did not take this into account.
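The two checks described above (classifying pre-consent cookies by originating service and purpose, and spotting YouTube embeds that do not use the privacy-enhanced domain) can be scripted against data captured on first page load. The following is an added example, not decareto's code; the cookie-to-service rules, the sample cookie names and the sample HTML are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed rule table: cookie-name pattern, originating service, purpose, hosting country.
# Purposes other than "functional" require prior consent; "US" marks a third-country transfer.
COOKIE_RULES = [
    (r"_ga(_.*)?|_gid",      "Google Analytics", "analytics",   "US"),
    (r"IDE|test_cookie",     "DoubleClick",      "advertising", "US"),
    (r"__cf(duid|_bm)",      "Cloudflare",       "functional",  "US"),
    (r"fr|_fbp",             "Facebook",         "advertising", "US"),
]

def classify_cookie(name):
    """Map a cookie name to its originating service, purpose and country (first rule wins)."""
    for pattern, service, purpose, country in COOKIE_RULES:
        if re.fullmatch(pattern, name):
            return {"service": service, "purpose": purpose, "country": country}
    return {"service": "unknown", "purpose": "unknown", "country": None}

def audit_pre_consent(cookie_names):
    """Evaluate cookies observed before the visitor made any consent choice."""
    hits = [dict(name=n, **classify_cookie(n)) for n in cookie_names]
    non_functional = [h for h in hits if h["purpose"] in ("analytics", "advertising")]
    return {
        "non_functional_services": sorted({h["service"] for h in non_functional}),
        # Mirrors the two figures in the text: any US transfer vs. non-functional only.
        "us_transfer_any": any(h["country"] == "US" for h in hits),
        "us_transfer_non_functional": any(h["country"] == "US" for h in non_functional),
    }

IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

def youtube_embeds_without_privacy_mode(html):
    """Return iframe URLs served from youtube.com instead of youtube-nocookie.com."""
    flagged = []
    for src in IFRAME_SRC.findall(html):
        host = urlsplit(src).hostname or ""
        if host == "youtube.com" or host.endswith(".youtube.com"):
            flagged.append(src)
    return flagged

# Constructed sample input: cookies seen on first load and a page with two embeds.
SAMPLE_COOKIES = ["session_id", "_ga", "IDE", "__cfduid"]
SAMPLE_HTML = """
<iframe src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
"""

if __name__ == "__main__":
    print(audit_pre_consent(SAMPLE_COOKIES))
    print(youtube_embeds_without_privacy_mode(SAMPLE_HTML))
```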

Overall rating

With the decareto risk score, we rate the number of vulnerabilities found on a website with a grade from A to F. We were only able to assign an A to 2 of the DAX-30 websites; at least 9 more have a B and thus only a few weaknesses. A third of the companies have a score of D or worse, which is something large companies cannot really be satisfied with.

Author: Eckhard Schneider